"Blue Code": A Worm That Fights "Code Red" and IIS Servers

07 Sep 2001 | Virus News

Kaspersky Lab, an international data-security software developer, reports the discovery of "Blue Code", a new malicious program that attacks remote Web servers running on Microsoft's Internet Information Server (IIS) platform. At the moment, Kaspersky Lab has received several reports of infections by this worm from China.

Similar to the notorious "Code Red" worm discovered earlier this year, "Blue Code" attacks IIS servers. However, to penetrate target computers, this worm exploits the Web Directory Traversal vulnerability in IIS that was discovered in October 2000. The worm's penetration procedure consists of three stages. First, "Blue Code" gains access to the remote computer's hard disk; it then uploads a worm-carrying file there from an already infected IIS server and runs that file.

The worm-carrying file creates several additional files in the root directory of the C drive: SVCHOST.EXE, HTTPEXT.DLL and D.VBS. The first two names are reserved by Windows and belong to non-malicious programs included in the standard Windows 2000/NT distribution. In this way, the worm tries to disguise its presence on the infected IIS server.

The malicious SVCHOST.EXE is registered in the start-up section of the Windows system registry, so the worm becomes active each time the computer is rebooted.

In turn, D.VBS performs several actions aimed at removing active "Code Red" copies from system memory and defending against future "Code Red" attacks. In particular, "Blue Code" locates and terminates the INETINFO.EXE application, which is responsible for access to the Web server's resources (this terminates active "Code Red" copies). In addition, the worm changes the processing of certain HTTP requests so that "Code Red" copies cannot penetrate this IIS server in the future.

For further spreading, "Blue Code" starts 100 active threads that scan randomly selected IP addresses and attempt to plant its copy on any reachable remote computers. The number of active worm threads can significantly degrade the infected IIS server's performance.
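From the defender's side, the two behaviours described above leave traces in a server's own Web logs: the directory-traversal request used to reach the disk, and the repeated probes that a scanning source sends to many addresses. The following Python script is an added example for this bulletin, not Kaspersky's code and not part of the worm. It parses constructed IIS W3C-format log lines, percent-decodes each requested path repeatedly (so double-encoded sequences are caught too), folds backslashes to slashes, flags any request whose path contains a `..` segment and notes whether it climbs out of the virtual directory, and counts flagged requests per client address to surface scanning sources. The log field order, the sample lines and the `scan_threshold` value are assumptions.

```python
"""Flag directory-traversal probes in IIS W3C extended log lines.

Added example (not Kaspersky's or the worm's code). Assumes the field order in
FIELDS; SAMPLE_LOG is constructed for illustration.
"""
from collections import Counter
from urllib.parse import unquote

FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

# Constructed sample log: one benign client, one probing client, and a benign
# path containing ".." inside a segment name (must not be flagged).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-07 10:12:33 192.0.2.10 GET /default.htm - 200
2001-09-07 10:12:35 192.0.2.77 GET /scripts/..%5c..%5cwinnt/win.ini - 200
2001-09-07 10:12:36 192.0.2.77 GET /scripts/..%255c..%255cwinnt/win.ini - 200
2001-09-07 10:12:40 192.0.2.10 GET /images/logo.gif - 200
2001-09-07 10:12:41 192.0.2.77 GET /msadc/../../../winnt/win.ini - 404
2001-09-07 10:12:42 192.0.2.33 GET /docs/a..b/index.htm - 200
"""


def parse_line(line):
    """Return a dict of fields for a data line, or None for comments/malformed lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def normalize_path(raw, max_rounds=3):
    """Percent-decode until the string stops changing (catches double encoding),
    then fold backslashes, which IIS treats as path separators, into slashes."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def analyze_path(raw):
    """Return (decoded_path, has_dotdot, escaped_root).

    has_dotdot: a whole segment equals ".." (a legitimate browser normalizes
    these away before sending, so their presence in a request is suspicious).
    escaped_root: the ".." segments climb above the virtual directory root.
    """
    path = normalize_path(raw)
    depth = min_depth = 0
    has_dotdot = False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            has_dotdot = True
            depth -= 1
            min_depth = min(min_depth, depth)
        else:
            depth += 1
    return path, has_dotdot, min_depth < 0


def scan_log(text, scan_threshold=2):
    """Return (findings, scanners): one finding per traversal request, and the
    client addresses that sent at least scan_threshold of them."""
    findings = []
    per_ip = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path, has_dotdot, escaped = analyze_path(rec["cs-uri-stem"])
        if has_dotdot:
            per_ip[rec["c-ip"]] += 1
            # sc-status 200 on a traversal request means the server served it;
            # 404 suggests the request was refused or the target was absent.
            findings.append({"ip": rec["c-ip"], "raw": rec["cs-uri-stem"],
                             "decoded": path, "escaped_root": escaped,
                             "status": rec["sc-status"]})
    scanners = sorted(ip for ip, n in per_ip.items() if n >= scan_threshold)
    return findings, scanners


if __name__ == "__main__":
    hits, sources = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']} {h['status']} {h['raw']} -> {h['decoded']} "
              f"(escapes root: {h['escaped_root']})")
    print("probable scanning sources:", sources)
```

Running the block on the sample reports three traversal requests, all from 192.0.2.77 and all climbing above the virtual directory, while the `a..b` directory name is left alone because `..` is only matched as a complete path segment.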

The worm also has a payload routine that performs a DoS (Denial of Service) attack on the http://www.nsfocus.com Web server from 10:00 am until 11:00 am UTC.